Client Cert Problem

‏2012-09-25T07:13:43Z

Hi,
we want to use Client Certificates to log on to the RDz z/OS daemon.
Our certs are stored on a smartcard and the smartcard folks provided us with the following parameters for the "Client Certificates" section:
Java Cryptography Extension (JCE) Provider: IBMPKCS11Impl-xxxPKI
Keystore Type: PKCS11IMPLKS
hostIdMappings Object Identifier (OID): 1.3.18.0.2.18.1
When we try to log on, all we get is a popup that says:
"set up your certificate"

It seems that there is no connection attempt, so I think that this is a client issue.

What are we missing?
Is there any way to trace what's going on in the RDz client?

Re: Client Cert Problem

Hi Thomas,
You will need to obtain the driver for the IBMPKCS11Impl-xxxPKI JCE provider and update the RDz Java security configuration to recognize that driver.

Since I don't know the name of your specific driver, I have provided some generic instructions that may assist you in the configuration of your environment. Also, check with your smart card folks to see if they have documented how to configure your Java environment on the client system to interact with the smartcard. Remember to restart RDz once you make the changes:

********************
1) Copy the driver to the corresponding location in the IBM JDK folders that are shipped with RDz.

The .jar file needs to go to the <RDz85InstalledImage>\jdk\jre\lib\ext directory where <RDz85InstalledImage> is the location where RDz 8.5 is installed
The .dll file needs to go to the <RDz85InstalledImage>\jdk\jre\bin directory

2) You also need to edit the file java.security in the <RDz85InstalledImage>\jdk\jre\lib\security directory. The section to modify looks like this

Re: Client Cert Problem

Hey Thomas,
There is a mismatch in the name of the cfg file (*xxpki*.cfg) and the JCE provider name specified in the Client Certificates preferences (Java Cryptography Extension (JCE) Provider IBMPKCS11Impl-*xxxPKI*). Try removing the extra "x" from the JCE provider in the Client Certificates preferences and restarting RDz to see if this makes a difference.
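
One way to check from the client side whether the provider name and keystore type entered in the Client Certificates preferences are actually registered in the JVM, as an added example that is not part of the thread: a small Java program (the class name `ProviderCheck` is hypothetical) that uses only the standard `java.security` API and flags registered providers whose names are within two characters of the one requested. It assumes it is compiled and run with the JDK shipped under `<RDz85InstalledImage>\jdk`, so that it reads the same java.security file as RDz.

```java
import java.security.Provider;
import java.security.Security;

// Added diagnostic, not from the thread. Run it with the JDK shipped with RDz
// (assumption) so it sees the same java.security configuration as the client.
public class ProviderCheck {
    // Levenshtein edit distance, used to flag near-miss provider names.
    static int distance(String a, String b) {
        int[] prev = new int[b.length() + 1];
        for (int j = 0; j <= b.length(); j++) prev[j] = j;
        for (int i = 1; i <= a.length(); i++) {
            int[] cur = new int[b.length() + 1];
            cur[0] = i;
            for (int j = 1; j <= b.length(); j++) {
                int sub = prev[j - 1] + (a.charAt(i - 1) == b.charAt(j - 1) ? 0 : 1);
                cur[j] = Math.min(sub, Math.min(prev[j], cur[j - 1]) + 1);
            }
            prev = cur;
        }
        return prev[b.length()];
    }

    public static void main(String[] args) {
        // Defaults are the values quoted in the question; override on the command line.
        String wanted = args.length > 0 ? args[0] : "IBMPKCS11Impl-xxxPKI";
        String ksType = args.length > 1 ? args[1] : "PKCS11IMPLKS";

        Provider exact = Security.getProvider(wanted);
        if (exact != null) {
            // The provider is registered; confirm it also offers the keystore type.
            boolean hasKs = exact.getService("KeyStore", ksType) != null;
            System.out.println("OK: " + wanted + " is registered; KeyStore." + ksType
                    + (hasKs ? " is offered" : " is NOT offered by it"));
            return;
        }
        System.out.println("MISSING: no provider named " + wanted + ". Registered providers:");
        for (Provider p : Security.getProviders()) {
            String name = p.getName();
            int d = distance(name.toLowerCase(), wanted.toLowerCase());
            // A distance of 1 or 2 usually means a typo in the preference or the configuration.
            String hint = d <= 2 ? "   <-- differs by " + d + " character(s)" : "";
            System.out.println("  " + name + hint);
        }
    }
}
```

If the exact name is missing and no near match is listed, the PKCS#11 provider is not registered in this JVM at all, which points at the java.security edit rather than at the preference value.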

Re: Client Cert Problem

You have probably done this already but just to make sure. Click on Windows -> Preferences -> Client Certificates and make sure you have the Preferences for Client Certificate information entered here.